HSCIC is sharing data of patients who opted out of care.data

Patients who wanted to opt out of the NHS’s hotly-debated care.data programme should have their wish granted by January 2016 – but their data may still be being released by HSCIC.
Around 700,000 patients decided that they did not want their data shared with third parties after a leaflet was sent to households in England back in January 2014, explaining that they had a choice.

The leaflet itself – and the way the care.data programme has been introduced – has been questioned by doctors and privacy campaigners since its inception, with many claiming that HSCIC had still not answered lingering questions about patient privacy, most notably where the data will end up, and how it would remain anonymised.
And while general awareness of the programme and its motives have also been questioned, it was thought that HSCIC would at least grant those who wanted to opt-out of data sharing with their wishes. Instead, according to a letter sent to HSCIC chair Kingsley Manning from the Information Commissioner’s Office, the opt-outs remain on GP practice systems and details of which patients have opted out have never been sent to HSCIC.
“This means that the opt-outs have not been actioned and those patients personal data continues to be released by HSCIC,” said Dawn Monaghan, group manager of public services at the ICO.
Monaghan said that based on the information provided by HSCIC, the organisation had not complied with the first principle of the Data Protection Act.
“[HSCIC] has continued to share patient data with organisations for purposes other than direct care after patients were offered an opt-out and significant numbers of patients objected to their data being used in that way,” she said.
But the ICO had sympathy for the “difficulties that HSCIC had experienced”, namely, that directions had not been issued to HSCIC to extract any of the data – either for the care.data programme, the type 1 opt-out (whereby no information other than for direct care purposes would leave the patients’ GP practice) or the type 2 opt-out (where no identifiable information held by the HSCIC would be passed to a third party).
It said that it had a positive level of engagement from HSCIC and would therefore propose an undertaking rather than issue an enforcement notice.
“An undertaking is not a statutory regulatory power but a formal undertaking can be given by an organisation to the ICO committing the organisation to a particular course of action or otherwise achieving compliance,” the ICO states.
It urged HSCIC to implement the type 2 objections and inform those affected in a clear and accessible way.

CATEGORIES

Cyber Parse was created to provide knowledge to help everyone understand and deal with the ever increasing threats we all face by Cyber Crime (Malware, Social Engineering, Phishing and hacking).
Our purpose is to provide the right information to our readers by breaking down and communicating knowledge relating to Cyber Crime, Cyber Security, Information Security and Computer Security, then using Risk Management practices to help translate the technical aspects of the Risks, Threats, Vulnerabilities and controls to reduce the risk into business language.